Samas Ransomware Deletes Veeam Backups, and Maybe Yours Too

Do you feel secure against ransomware attacks because you have all your data assets copied to Veeam backups? Well, this isn't intended to panic you, but that feeling of safety and security has been shattered for businesses small and large by the insidious 'Samas' ransomware. Up until very recently, whenever ransomware gained network access, it would routinely target backup directories, but only to encrypt them and make them unusable until a ransom was paid.

Now, however, Samas has upped the ante, and found a way to completely delete backup repositories, even when those repositories do not allow write-access. This is not a misprint, and is not speculative in nature - it has already happened at a small private school. After a ransomware attack, the Veeam support team was called in to investigate the curious disappearance of the Veeam_backups folder on the school server, and they were forced to concede that Samas had penetrated the security scheme. No backups - anywhere.

A Shocking Development

One of the actions taken by school officials following the attack, was to call the FBI, and inquire about the possibility of backups being deleted. The FBI spokesman concurred with the Veeam technicians, confirming that the agency was unaware of any single instance where some kind of ransomware had the capability to actually delete the contents of backup folders. Needless to say, that governmental agency now has a case history to refer to for future incidents of a similar nature.

The FBI said he had never seen ransomware delete backups....

The investigation turned up the fact that just two days before the ransomware attack, more than 200 GB of data had been written to the backup repository, and at that time, it was fully functional and bursting with data. Apparently the backups were targeted because the malware was looking for files with a .bak extension, and in this case, found them and completely deleted them. Of course, this makes the ransom demand even more compelling, since no 'rescue' would be possible from a saved copy of business data.

Recommendations

This Samas ransomware is still very new, and is not yet recognized by many of the anti-virus and malware scripts available today, which means that it is incumbent upon the user or IT director of a company to take immediate steps against this kind of cyberattack. The first, and most effective measure, should be to store your backups completely offline or at a remote location, where any invading virus cannot find them. A secondary safeguard would be to prepare a script which updates all important backup databases to have a file extension other than .bak, so they would be invisible to ransomware agents.

Don't Take A chance On Data Security

If your company lacks the in-house expertise to completely protect against Samas, or any other kind of cyberattack, your best option may be to contact the security experts for a consultation that might save your business. Our experts keep researching making it their business to be aware of all the latest developments in the world of cyber crime, and can help your business be better prepared for what may be coming. As the private school incident demonstrates, someone or some company has to be the first one to be attacked by any new kind of virus or ransomware. Download our special report to learn how you can protect yourself and data assets:

If you've been thinking that the main purpose of data backups is to protect your company against some kind of natural disaster, or data corruption on the network, it's time to re-think your position. These days, data backups are the first line of defense against ransomware attacks, and other criminal-minded breaches perpetrated by hackers looking to exploit your system for profit. Call 646-755-3933 today, and be as prepared as possible!